An Overview of STIR/SHAKEN: What it is and Why it is Important

Receiving an incoming call from an unfamiliar number and deciding whether to answer has become a pervasive challenge for many. The prevalence of sophisticated robocalls and Caller ID spoofing has introduced a frustrating element into daily life. While not every robocall or caller ID spoof is illicit, those with malicious intent can waste time, jeopardize personal information, and even lead to financial loss for the call recipient. To address these issues, the FCC has issued clear directives for how voice service providers in the United States should manage calls, including a mandate to implement STIR/SHAKEN.

What is STIR/SHAKEN?

STIR/SHAKEN is a framework comprising technical protocols and implementation procedures. It is used by originating service providers to authenticate a caller's identity (Caller ID) and enables terminating service providers to verify the Caller ID, reducing the risk of fraudulent robocalls. STIR/SHAKEN consists of two components: STIR (Secure Telephony Identity Revisited) and SHAKEN (Secure Handling of Asserted Information Using Tokens).

STIR

STIR, developed by the Internet Engineering Task Force (IETF), is a protocol providing a digital signature with the correct calling party credentials. These digital signatures, embedded in Session Initiation Protocol (SIP) messages, carry calling and called party information.

SHAKEN

SHAKEN is the applied framework for deploying STIR technology within carrier networks. Developed in conjunction with STIR, SHAKEN helps service providers authenticate and verify calls made over an IP network.

How Does STIR/SHAKEN Work?

The STIR/SHAKEN process, at a high level, employs key cryptography standards to authenticate IP phone calls. In more detail, the process involves eight steps:

1. Receiving the SIP Invite and Assigning the Attestation Level: The originating provider receives a SIP INVITE with caller information and assigns an attestation level to the caller.

2. Assigning the Attestation Level: The originating provider categorizes the call into one of three attestation levels: A (Full Attestation), B (Partial Attestation), or C (Gateway Attestation).

3. Adding Certificate Information: The originating provider augments the SIP INVITE's Identity Header with the service provider origination identifier, attestation level, and an encrypted digital certificate.

4. Receiving SIP INVITE with Augmented Identity Header: The terminating provider decrypts the certificate information and examines the SIP identity header data.

5. Sending SIP Identity Header Information for Verification: The terminating provider sends the SIP identity header information to a STIR/SHAKEN verification service.

6. Validating Certificate Information: The verification service validates the call's certificate information using certificate repositories.

7. Returning SIP Identity Header Information: After verification, the service returns SIP Identity header information to the terminating provider.

8. Recipient Receives the Call: With the completion of the STIR/SHAKEN protocol, the recipient receives the call, knowing that the caller's identity has been authenticated and verified.

While the process may seem intricate, it serves as a robust defense against bad actors with malicious intentions, offering protection to both service providers and consumers.

Why is STIR/SHAKEN Important?

STIR/SHAKEN is crucial in combating the rise of robocalls and Caller ID spoofing. Its significance lies in:

• Minimizing Potential Fraud: STIR/SHAKEN aims to protect consumers from personal information and fund exposure, reducing the risk of fraudulent activities such as spoofing credit card validation services.

• Reducing Robocalls: By validating Caller ID, STIR/SHAKEN specifically targets the reduction of robocalls made with spoofed Caller IDs, improving the overall call experience for consumers.

• Protecting Business Reputation: Service providers benefit from STIR/SHAKEN by offering safer, more controlled services, enhancing their reputation and trustworthiness.

While STIR/SHAKEN is a significant step in reducing malicious robocalls, it doesn't eliminate the problem entirely. Providers should complement it with additional security measures, including personalized call screening and blocking tools.

What STIR/SHAKEN Can and Can't Do

STIR/SHAKEN, while effective, has limitations:

• Cannot Legally Punish Scammers: STIR/SHAKEN cannot legally punish scammers; it primarily focuses on authenticating and verifying caller identity.

• No Guarantee of Intent: While it validates Caller ID, STIR/SHAKEN cannot guarantee a specific robocall's intent. Additional security measures are necessary for a comprehensive approach.

Mitigate Robocalls with Peeringhub's STIR/SHAKEN Solutions

Peeringhub provides robust STIR/SHAKEN solutions to protect consumers from unlawful robocalls and caller ID spoofing. With options such as hosted STIR/SHAKEN as a Service (S/SaaS) or the Ribbon Secure Telephone Identity solution, service providers can choose the right solution to authenticate caller identity and reduce the risk of cybercrimes.

Combat robocalls effectively with Peeringhub's STIR/SHAKEN solutions and restore trust in caller ID validity. Learn more about which solution suits your needs at peeringhub.io.